Forbid HTML string tooltips (#20935)
authorsilverwind <me@silverwind.io>
Tue, 23 Aug 2022 20:17:42 +0000 (22:17 +0200)
committerGitHub <noreply@github.com>
Tue, 23 Aug 2022 20:17:42 +0000 (16:17 -0400)
Tippy allows HTML strings to be passed as content, but we do not use this
feature (we only ever pass HTML as an Element), so it is better to disable it
for increased security.

Ref: https://atomiks.github.io/tippyjs/v6/html-content/#string

web_src/js/modules/tippy.js

index 6f3adadddc104804eafcd0ff1c69296939eb93e9..44e97e2a0fd4b05cbf2d7a720c4ebf7af70bcc81 100644 (file)
@@ -5,7 +5,7 @@ export function createTippy(target, opts = {}) {
     appendTo: document.body,
     placement: 'top-start',
     animation: false,
-    allowHTML: true,
+    allowHTML: false,
     maxWidth: 500, // increase over default 350px
     arrow: `<svg width="16" height="7"><path d="m0 7 8-7 8 7Z" class="tippy-svg-arrow-outer"/><path d="m0 8 8-7 8 7Z" class="tippy-svg-arrow-inner"/></svg>`,
     ...(opts?.role && {theme: opts.role}),
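Review bot: The new `allowHTML: false` on the changed line only governs how tippy interprets a string `content`, and whether a caller can re-enable it depends on how `opts` is merged into this defaults object, which lies past the end of the hunk; if `opts` is spread after these defaults, a caller passing `allowHTML: true` would silently undo the hardening, so that merge order is worth checking or pinning. A short comment on the new line would keep the intent visible to future editors: `allowHTML: false, // content must be passed as an Element; never interpret strings as HTML`. The `arrow` SVG literal on the following line is a static string and, as far as I recall, is handled by tippy independently of `allowHTML`, so it should be unaffected — confirm against the tippy version in use. The body of createTippy starts before and continues after this hunk.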